When to Start Worrying about the PCI DSS 3.0 SAQs

May 21, 2014 • Categories: Best Practices

NOTE: This post was published on May 21, 2014. Please see the follow-up post, published December 17, 2014, here.

Can you believe we are nearly halfway through 2014? The rapid pace of business (and life in general) can create a feeling that something is being missed, something that could sneak up and take you and your business by surprise.

And when it comes to change, no one wants to be taken by surprise. That’s why I’ve already spoken with many merchant acquirers, individual business owners and IT managers who have reached out with questions surrounding the new PCI DSS version 3.0 Self Assessment Questionnaires (SAQs).

While the 3.0 SAQs won’t go into effect until January 1st 2015, the notable differences between 3.0 and its predecessor (2.0) are certainly cause for concern when it comes to readiness. So when should you start planning for the new SAQs? And when must all your processes be in alignment? Read on to find out.

The good news is you’re not behind

If your business has not yet begun to prepare for the 3.0 SAQs, the good news is that it is not behind. Merchants can continue to validate compliance according to the 2.0 SAQs until January 1, 2015. That means that if your business’s annual validation occurs in December, you won’t validate according to version 3.0 until December 2015.

Merchant service providers (MSPs) are also not behind in the process, even though they will have merchants using the 3.0 SAQs come January. That’s because PCI compliance partners like ControlScan are currently updating their simplified SAQ products to accurately reflect version 3.0 requirements. ControlScan partners can expect to see the updated SmartSAQ in the fourth quarter of this year.

How to be prepared when the time is right

Whether you are a merchant or a merchant service provider, there are steps you can take in advance to be fully prepared for PCI DSS version 3.0:

  • MSPs – Now is the time to begin educating yourself on the new 3.0 SAQs (A-EP and B-IP) and the scenarios in which they would apply. Be sure to also understand the ASV scanning and penetration testing requirements for the various SAQ types (see our handy chart). We recommend you use this information to analyze and segment your merchant base by expected impact.
  • Merchants – If you have already validated your compliance for 2014, you can begin preparing for next year’s validation by reviewing and updating your security processes according to PCI DSS v3.0. If your validation date is later in the year, we recommend you use your 2014 validation process to ensure that all security-related processes and documentation are complete. Then, in the first quarter of 2015, contact your acquiring bank for information and education on how to transition to version 3.0, including which SAQ you will be subject to.

Check out our other articles related to PCI DSS 3.0 here. Want to learn more about how the PCI DSS applies to your business or small business data security in general? Click here or give us a call at 1-800-825-3301 x 2. We’d be happy to help.
